Courtesy of GhostPrototype from the totse2 archives circa 2012. Kali Linux has replaced BackTrack now, so you'll want to download that
instead. At the time of this writing, I can't confirm if Kali and BackTrack work exactly the same, but the basic principles of this tutorial should be the same. Ignore mentions of BackTrack and replace them with Kali in your brain:
Too many times I have found myself at an extreme inconvenience due to a crippling lack of internet. Looking for available wireless networks, it's disappointing to find nothing but locked access points. But are they really that locked? This tutorial will explore a few methods of gaining access to wireless networks. Keep in mind that following this tutorial without the consent of whoever owns the networks you attack may be illegal where you live. Use caution, and don't break the law, k? I'm not responsible for your actions. Now that that's out of the way, let's get to cracking.
First thing you need to do is get your hands on a Linux OS. Why Linux? Because there are many great tools available that are more capable than their Windows counterparts. If you don't know where to start, I'd recommend Kali Linux (formerly the BackTrack 5 OS), available from http://www.kali.org/downloads/ (the old BackTrack site was www.backtrack-linux.org/downloads/) as a burnable .iso file. If you have Windows 7, right-click the .iso file and click "Open with Windows Disc Image Burner" to burn it to a DVD. If you don't have Win 7 and don't know how to burn a .iso, I might recommend the software CDBurnerXP. It's small, free, and will do the job. If you have a USB drive available, there is a USB release as well, and directions can be found on the http://www.kali.org/downloads/ website.
Boot from the DVD. You may have to select your optical drive from a boot menu at power-on. If prompted for a version of BackTrack to load, just select the default. Once the computer boots to a # prompt, type 'startx' without the quotes to launch the GUI. Welcome to the BackTrack 5 desktop. We're ready to get started. Open a command prompt ("konsole") on BT5. The first thing we must do is enable monitor mode on our wireless card. Enter "airmon-ng start wlan0" without the quotes. This creates a virtual monitor-mode interface called "mon0". We will use this, instead of "wlan0" (the common name for the primary wireless card on Linux systems), in all of our commands. Protip for future use: holding "Ctrl" and pressing "c" stops the application in the current window. This is useful later on.
We'll be using the aircrack-ng suite for most of our cracking. If you aren't running BackTrack and don't have it installed, you can get it by running "wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz", unpacking with "tar -zxvf aircrack-ng-1.1.tar.gz", and then running "./configure", "make" and "make install" in the unpacked directory. If you've already got a Linux installation, this shouldn't be too difficult for you.
CRACKING WEP
"Wired Equivalent Privacy" is the most basic form of security available on most routers. It is still commonly used, which is surprising, as it is the easiest to crack. For testing purposes, I set up a wireless router at my apartment with 64-bit WEP encryption, affectionately named "DongsLOL" for the network name (SSID). To find which networks are near you, we'll use the airodump-ng command. In my example, I used the command "airodump-ng -w /media/disk/capture mon0" without quotes. This runs airodump-ng, writes the captured packets to a file in the directory /media/disk/, and uses the wireless interface mon0. Keep in mind that airodump-ng automatically appends "-01.cap" to the end of the file name, so in my example it saved the capture as "capture-01.cap". If you're running BackTrack, I might recommend you change the directory to "/home/root".
Here's my output for the airodump command:
Here's a run-down of the important things:
BSSID - the access point's MAC address.
PWR - signal strength. If you have shit signal, it will take longer to crack, if you can at all.
Beacons - transmitted from the wireless router, they tell whatever devices can pick them up that the router exists. This is how your computer normally detects a wireless access point.
#Data - number of data packets captured from that access point.
ENC - Type of Encryption
ESSID - Name of the network.
STATION - clients (such as laptops, phones, and other wireless-enabled devices) that are connected to the BSSID listed adjacent to it.
Okay, so now that we have our bearings on what exactly is going on around us, let's select a target. As I stated previously, I want access to dongslol. So, we will use the program aircrack-ng to recover the key from the captured packets.
I used the command shown in the image below.
I apologize for the double image - BackTrack 5 uses transparent windows by default, and I had airodump-ng running in the background. The extra options I added were "-a 1" to force attacking WEP versus WPA, "-n 64" to force 64-bit keys, and "-s" to show the key as it's being cracked. Otherwise, the basic form of this command is "aircrack-ng (filename)".
As you can see, we captured almost 80,000 packets from dongslol. It's labeled as number one in our packet capture, so we select it by entering "1" at this prompt. If all goes well, you should see something similar to this:
In our example, "01:23:45:67:89" was my WEP key. We successfully cracked into a 64-bit WEP network.
If you are unable to get in after capturing over 75k packets, start adding the "-f" option, starting with "-f 2", then if it continues to fail, progress through "-f 4", "-f 8", and "-f 16". In aircrack-ng this is called the "fudge factor". It expands the program's search when brute-forcing the encryption key from the packets. A higher fudge factor increases cracking time, but also increases the likelihood of discovering the WEP key.
If we've reached over 100k packets, I might recommend switching to 128-bit cracking. I set my network up again (renaming it to dongsII) with 128-bit WEP encryption.
I tried cracking the 128-bit key a few times without success. I had to let it run and capture additional packets. However, I finally got through, a little bit after the 100k packet mark.
CRACKING WPA / WPA2
"Wi-Fi Protected Access" is the most common form of wireless encryption. It's much more robust than WEP, and to my knowledge, it's impossible to crack with the above method. Luckily for us, there is still a way to get in!
In my example, I started with the airodump-ng command, saving the captured data to /home/root/wpa this time. My capture file was named wpa-01.cap.
"airodump-ng -w /home/root/wpa mon0"
This time, my dongsII network (which I forgot to rename to dongsIII. Drats.) showed in the airodump-ng window as WPA2. We know there is someone connected, because we are receiving data packets, and we can see a device with MAC address 00:1B:77:BA:02:69 connected to BSSID 00:18:39:C3:A4:C9, which corresponds to the dongsII network. Running aircrack-ng against the capture file shows the following:
This time, we notice that instead of IVs, it says 0 handshakes. This is because instead of capturing every packet, we need to capture a device connecting to the wireless access point. This is known as a 'handshake'. We have two options. We can wait for another device to connect to the network, but that is boring. We know someone is connected, so we'll get a little creative. We're going to perform a deauthentication attack, to trick the client into thinking it was disconnected so that it reconnects. We will use the aireplay-ng software. In another konsole window, we run the following:
"aireplay-ng -0 0 -a 00:18:39:C3:A4:C9 -c 00:1B:77:BA:02:69 mon0" without quotes.
"-0 0" tells aireplay-ng to run a deauthentication attack continuously. If we change the second 0 to any other number, it will perform the deauth that many times. "-a" tells it the BSSID of the access point. "-c" tells it which client to deauthenticate.
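From the defender's side, as an added example that is not part of the original tutorial: the deauthentication flood described above is easy to spot in a monitor-mode capture, because it is a burst of 802.11 deauth/disassoc management frames aimed at one client from one BSSID. This Python assumes frames arrive as (timestamp, raw 802.11 bytes) pairs; the sample capture is hand-constructed, reusing the BSSID and client address quoted above.

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes: deauthentication (0xC) and disassociation (0xA).
DEAUTH, DISASSOC = 0xC, 0xA

def parse_mgmt(raw):
    """Decode an 802.11 management-frame header; return None for other frame types."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 != 0:      # frame-control type 0 = management
        return None
    subtype = (raw[0] >> 4) & 0xF
    dst, src, bssid = (raw[i:i + 6].hex(":") for i in (4, 10, 16))
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # little-endian reason code
    return {"subtype": subtype, "dst": dst, "src": src, "bssid": bssid, "reason": reason}

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_frame). Returns one alert per BSSID
    that sees >= threshold deauth/disassoc frames within any `window` seconds."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:                 # slide the window forward
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerts:
            alerts[f["bssid"]] = {"bssid": f["bssid"], "count": len(q), "first": q[0],
                                  "last": ts, "target": f["dst"], "reason": f["reason"]}
    return list(alerts.values())

# --- constructed sample capture (hand-built frames, not a real pcap) ---
def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _mgmt(subtype, dst, src, bssid, body=b""):
    # frame control (subtype in bits 4-7, type 0), duration, addr1..3, sequence control, body
    return bytes([subtype << 4, 0]) + b"\0\0" + _mac(dst) + _mac(src) + _mac(bssid) + b"\0\0" + body

AP, CLIENT = "00:18:39:c3:a4:c9", "00:1b:77:ba:02:69"   # BSSID and client from the tutorial
SAMPLE = [(0.0, _mgmt(0x8, "ff:ff:ff:ff:ff:ff", AP, AP))]                   # a beacon
SAMPLE += [(0.1 * i, _mgmt(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7)))
           for i in range(1, 13)]                                            # 12 deauths in 1.2 s
SAMPLE.append((30.0, _mgmt(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3))))  # a lone deauth

if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE):
        print(f"deauth flood: bssid={a['bssid']} target={a['target']} "
              f"{a['count']} frames in {a['last'] - a['first']:.1f}s reason={a['reason']}")
```

A single deauth now and then is normal roaming behaviour; it is the rate per BSSID that distinguishes the attack, which is why the detector alerts on the window count rather than on any one frame.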
Here is what the output will resemble:
Let's check back on our capture file in our first window.
As you can see, we've successfully captured the reconnection handshake! The final step in this process is to go at it with a dictionary attack. I re-ran aircrack-ng with the command:
"aircrack-ng /home/root/wpa-01.cap -w /pentest/passwords/wordlists/*" without quotes. In BackTrack 5, there is a wordlist file at /pentest/passwords/wordlists/, called darkc0de.txt, or something like that. I couldn't remember, so I told it to include all files in that directory by using the wildcard. There are numerous wordlists available online, if you wish to expand the possible combinations. aircrack-ng can only recover WPA keys with a dictionary attack, so if the password isn't in the dictionary file(s), you won't be getting in this way. Here's the output during the attack:
This can take some time, so sit back and think about your life. Where are you going? How will you get there? The trick here is to be patient, or to do something else. Let your computer do its thing. If all goes well...
Congratulations, you've hacked into a WPA or WPA2 network! In my example, it took a hair over 26 minutes.
WPS HACKING
"Wi-Fi Protected Setup" isn't an encryption scheme; rather, it's a way most new routers let users connect easily. It's also EXTREMELY vulnerable to attack. My favorite thing about this attack is that it doesn't require a client to be connected to the access point for it to work! We will use a program called Reaver for this attack. It is not included in BackTrack, so you'll have to either install it while you do have internet, or carry the file on a USB drive. You can get the software from
http://reaver-wps.googlecode.com/fil...ver-1.4.tar.gz
If you wish to download a fresh copy on BackTrack 5, run the following commands in a konsole window, one line at a time:
wget http://reaver-wps.googlecode.com/fil...ver-1.4.tar.gz
tar -zxvf reaver-1.4.tar.gz
cd reaver-1.4/src
./configure
make
make install
On my laptop running Crunchbang Linux, I had to run the following before Reaver would install with the previous commands:
apt-get install flex
apt-get install byacc
apt-get install libsqlite3-dev
wget http://www.tcpdump.org/release/libpcap-1.2.1.tar.gz
tar -zxvf libpcap-1.2.1.tar.gz
cd libpcap-1.2.1
./configure
make
make install
cd ..
Now Reaver is set up and ready to go! First, let's check for WPS-enabled routers near us with a program included with Reaver, called wash:
I didn't have a wireless router with WPS available for testing, so I decided to do some real-world penetration testing. After gaining permission from the owner of the network "The Teacher's Aide", I began my attack. Since my target was on channel 2, I turned off mon0 with "airmon-ng stop mon0" without quotes, and restarted it with "airmon-ng start wlan0 2", to lock it to that channel. Then, I ran Reaver against it:
This will take a while. I let it run overnight. It may show multiple time-out messages, but they can generally be ignored. After returning in the morning, I found the following:
I had made it through! I now have the WPS PIN for the network, and can connect. For reference, I retyped the command I ultimately used, after tweaking it here and there in an attempt to boost performance. The "-vv" option told Reaver to show all output and errors. "-d 5" set a delay of 5 seconds between PIN attempts. To see all the options Reaver supports (including what the rest of those options do), just type 'reaver' without any options.
That's the end of my tutorial! Post with any feedback, questions, or tips! Have fun!